From 7405044fb51dcca31849cc1187ce4a806a8e2e66 Mon Sep 17 00:00:00 2001
From: Micheal Wilkinson <micheal.wilkinson@createfuture.com>
Date: Sat, 21 Mar 2026 20:58:17 +0000
Subject: [PATCH] chore(go): annotate intentional command execution for gosec

---
 internal/homesick/core/core.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal/homesick/core/core.go b/internal/homesick/core/core.go
index 7ad2183..581d669 100644
--- a/internal/homesick/core/core.go
+++ b/internal/homesick/core/core.go
@@ -299,7 +299,8 @@ func (a *App) Open(castle string) error {
 	}
 
 	castleRoot := filepath.Join(a.ReposDir, castle)
-	cmd := exec.Command(editor, ".") // #nosec G204 — EDITOR environment variable is user-set
+	// #nosec G702,G204 -- EDITOR is user-controlled local configuration and command is executed directly without a shell.
+	cmd := exec.Command(editor, ".")
 	cmd.Dir = castleRoot
 	cmd.Stdout = a.Stdout
 	cmd.Stderr = a.Stderr
@@ -801,6 +802,7 @@ func matchesIgnoredDir(castleHome string, candidate string, subdirs []string) (b
 }
 
 func runGitWithIO(dir string, stdout io.Writer, stderr io.Writer, args ...string) error {
+	// #nosec G204 -- git is fixed binary; args are internal command parameters for expected git operations.
 	cmd := exec.Command("git", args...)
 	cmd.Dir = dir
 	cmd.Stdout = stdout
@@ -834,6 +836,7 @@ func (a *App) sayStatus(action string, message string) {
 }
 
 func gitOutput(dir string, args ...string) (string, error) {
+	// #nosec G204 -- git is fixed binary; args are internal read-only git query parameters.
 	cmd := exec.Command("git", args...)
 	cmd.Dir = dir
 	out, err := cmd.Output()